Jump to content

Process Suspend/Process Resume UDF

The Kandie Man

By The Kandie Man,
in AutoIt Example Scripts

 Share

Recommended Posts

The Kandie Man Universalist

The Kandie Man

Posted
Posted (edited)

Well, I was looking on the internet for ways to suspend processes and spent a great deal of time trying to find API commands to do this. I found many thread suspend functions and other things, but not really any process suspend functions. I finally found a process suspend NTAPI function NtSuspendProcess(). To my great distaste I could find absolutely nothing documenting the NTAPI functions, nothing at all. Hours of Googling and i finally found a page that has the NTAPI functions listed. No thanks to Microsoft. :S You would think they would document functions that they took the time to write so that people could actually use them.

To save others time, here is a page with the NTAPI functions listed:

http://www.metasploit.com/users/opcode/syscalls.html

Here is a UDF to call the system API to suspend or resume a process. No more systeminternals 104kb PsSuspend.exe.

Func _ProcessSuspend($process)
$processid = ProcessExists($process)
If $processid Then
    $ai_Handle = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $processid)
    $i_sucess = DllCall("ntdll.dll","int","NtSuspendProcess","int",$ai_Handle[0])
    DllCall('kernel32.dll', 'ptr', 'CloseHandle', 'ptr', $ai_Handle)
    If IsArray($i_sucess) Then 
        Return 1
    Else
        SetError(1)
        Return 0
    Endif
Else
    SetError(2)
    Return 0
Endif
EndFunc

Func _ProcessResume($process)
$processid = ProcessExists($process)
If $processid Then
    $ai_Handle = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $processid)
    $i_sucess = DllCall("ntdll.dll","int","NtResumeProcess","int",$ai_Handle[0])
    DllCall('kernel32.dll', 'ptr', 'CloseHandle', 'ptr', $ai_Handle)
    If IsArray($i_sucess) Then 
        Return 1
    Else
        SetError(1)
        Return 0
    Endif
Else
    SetError(2)
    Return 0
Endif
EndFunc

@The Development Team

I think it would be a good idea to add these to the process.au3 include file.

You can call the function with the process name or PID

_ProcessSuspend("notepad.exe")

or

_ProcessSuspend(467)

The returns are as follows:

0 = Failure

1 = Sucess

@error = 1 means that it failed because something errored when calling the dll

@error = 2 means that it failed because the process was not found or is not running

Sorry i didn't do a standard UDF writeup, didn't have time. If the development team is interested in adding this function i will happily write the standard UDF documentation for it.

Important: This function will only run on Windows XP, Windows 2003 and Windows Vista.

Edited by The Kandie Man

"So man has sown the wind and reaped the world. Perhaps in the next few hours there will no remembrance of the past and no hope for the future that might have been." & _"All the works of man will be consumed in the great fire after which he was created." & _"And if there is a future for man, insensitive as he is, proud and defiant in his pursuit of power, let him resolve to live it lovingly, for he knows well how to do so." & _"Then he may say once more, 'Truly the light is sweet, and what a pleasant thing it is for the eyes to see the sun.'" - The Day the Earth Caught Fire

Link to comment
Share on other sites
ptrex Universalist

ptrex

Posted
Posted

@The Kandie Man

This is perfect :)

I tested it on SKYPE and works like a charm.

This desurves some stars !!

regards

ptrex

Contributions :Firewall Log Analyzer for XP - Creating COM objects without a need of DLL's - UPnP support in AU3Crystal Reports Viewer - PDFCreator in AutoIT - Duplicate File FinderSQLite3 Database functionality - USB Monitoring - Reading Excel using SQLRun Au3 as a Windows Service - File Monitor - Embedded Flash PlayerDynamic Functions - Control Panel Applets - Digital Signing Code - Excel Grid In AutoIT - Constants for Special Folders in WindowsRead data from Any Windows Edit Control - SOAP and Web Services in AutoIT - Barcode Printing Using PS - AU3 on LightTD WebserverMS LogParser SQL Engine in AutoIT - ImageMagick Image Processing - Converter @ Dec - Hex - Bin -Email Address Encoder - MSI Editor - SNMP - MIB ProtocolFinancial Functions UDF - Set ACL Permissions - Syntax HighLighter for AU3ADOR.RecordSet approach - Real OCR - HTTP Disk - PDF Reader Personal Worldclock - MS Indexing Engine - Printing ControlsGuiListView - Navigation (break the 4000 Limit barrier) - Registration Free COM DLL Distribution - Update - WinRM SMART Analysis - COM Object Browser - Excel PivotTable Object - VLC Media Player - Windows LogOnOff Gui -Extract Data from Outlook to Word & Excel - Analyze Event ID 4226 - DotNet Compiler Wrapper - Powershell_COM  - New

Link to comment
Share on other sites
The Kandie Man Universalist

The Kandie Man

Posted
  • Author
Posted (edited)

Thanks guys, i am glad you like it. It took me forever to find the function and once i found it i had to find documentation on it. The last thing i wanted was for someone else to suffer the same painful process to get this to work. I really appreciate you rating it.

I think it would be good to add this to the AutoIt Process.au3 include file. It is a bit lacking right now imo and i think this is just the thing to help spruce it up.

P.S.

I just wanted to add one more thing. The function above will only run on windows XP and up. This includes Windows XP, Windows 2003 and Windows Vista.

Edited by The Kandie Man

"So man has sown the wind and reaped the world. Perhaps in the next few hours there will no remembrance of the past and no hope for the future that might have been." & _"All the works of man will be consumed in the great fire after which he was created." & _"And if there is a future for man, insensitive as he is, proud and defiant in his pursuit of power, let him resolve to live it lovingly, for he knows well how to do so." & _"Then he may say once more, 'Truly the light is sweet, and what a pleasant thing it is for the eyes to see the sun.'" - The Day the Earth Caught Fire

Link to comment
Share on other sites
RazerM Universalist

RazerM

Posted
Posted

Nice function Kandie Man! Works perfectly

My Programs:AInstall - Create a standalone installer for your programUnit Converter - Converts Length, Area, Volume, Weight, Temperature and Pressure to different unitsBinary Clock - Hours, minutes and seconds have 10 columns each to display timeAutoIt Editor - Code Editor with Syntax Highlighting.Laserix Editor & Player - Create, Edit and Play Laserix LevelsLyric Syncer - Create and use Synchronised Lyrics.Connect 4 - 2 Player Connect 4 Game (Local or Online!, Formatted Chat!!)MD5, SHA-1, SHA-256, Tiger and Whirlpool Hash Finder - Dictionary and Brute Force FindCool Text Client - Create Rendered ImageMy UDF's:GUI Enhance - Enhance your GUIs visually.IDEA File Encryption - Encrypt and decrypt files easily! File Rename - Rename files easilyRC4 Text Encryption - Encrypt text using the RC4 AlgorithmPrime Number - Check if a number is primeString Remove - remove lots of strings at onceProgress Bar - made easySound UDF - Play, Pause, Resume, Seek and Stop.
Link to comment
Share on other sites
RazerM Universalist

RazerM

Posted
Posted

suspend windows media player :) it keeps repeating a small portion of the current song.

My Programs:AInstall - Create a standalone installer for your programUnit Converter - Converts Length, Area, Volume, Weight, Temperature and Pressure to different unitsBinary Clock - Hours, minutes and seconds have 10 columns each to display timeAutoIt Editor - Code Editor with Syntax Highlighting.Laserix Editor & Player - Create, Edit and Play Laserix LevelsLyric Syncer - Create and use Synchronised Lyrics.Connect 4 - 2 Player Connect 4 Game (Local or Online!, Formatted Chat!!)MD5, SHA-1, SHA-256, Tiger and Whirlpool Hash Finder - Dictionary and Brute Force FindCool Text Client - Create Rendered ImageMy UDF's:GUI Enhance - Enhance your GUIs visually.IDEA File Encryption - Encrypt and decrypt files easily! File Rename - Rename files easilyRC4 Text Encryption - Encrypt text using the RC4 AlgorithmPrime Number - Check if a number is primeString Remove - remove lots of strings at onceProgress Bar - made easySound UDF - Play, Pause, Resume, Seek and Stop.
Link to comment
Share on other sites
marfdaman Universalist

marfdaman

Posted
Posted (edited)

suspend windows media player :) it keeps repeating a small portion of the current song.

lol, works on my one too!

Edit: obviously these should be included.

Edited by marfdaman

Don't take my pic to serious...~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~You Looked, but you did not see!~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Link to comment
Share on other sites
The Kandie Man Universalist

The Kandie Man

Posted
  • Author
Posted

Very Interesting process controlling code.

Note that you may want to close the handle of the OpenProcess Call.

DllCall('kernel32.dll', 'ptr', 'CloseHandle', 'ptr', $ai_Handle)

I would also recommend changing the Return 2 to SetError(1) for easy usage.

:)

Thanks Mhz. I made the adjustment that you suggested and added the close handle into it. I completely forgot to close the handle :S

Thanks guys for your support. I am glad i could contribute something to this community. I would really like to see something like this added to the process.au3. I think it would be a great edition.

"So man has sown the wind and reaped the world. Perhaps in the next few hours there will no remembrance of the past and no hope for the future that might have been." & _"All the works of man will be consumed in the great fire after which he was created." & _"And if there is a future for man, insensitive as he is, proud and defiant in his pursuit of power, let him resolve to live it lovingly, for he knows well how to do so." & _"Then he may say once more, 'Truly the light is sweet, and what a pleasant thing it is for the eyes to see the sun.'" - The Day the Earth Caught Fire

Link to comment
Share on other sites
  • 3 weeks later...
  • Moderators
SmOke_N Universalist

SmOke_N

Posted
  • Moderators
Posted

Both functions in one.

Func _ProcessNT($iPID, $iSuspend = True)
    If IsString($iPID) Then $iPID = ProcessExists($iPID)
    If Not $iPID Then Return SetError(2, 0, 0)
    Local $ai_Handle = DllCall("kernel32.dll", 'int', 'OpenProcess', 'int', 0x1f0fff, 'int', False, 'int', $iPID)
    If $iSuspend Then
        Local $i_sucess = DllCall("ntdll.dll","int","NtSuspendProcess","int",$ai_Handle[0])
    Else
        Local $i_sucess = DllCall("ntdll.dll","int","NtResumeProcess","int",$ai_Handle[0])
    EndIf
    DllCall('kernel32.dll', 'ptr', 'CloseHandle', 'ptr', $ai_Handle)
    If IsArray($i_sucess) Then Return 1
    Return SetError(1, 0, 0)
EndFunc

Thanks TKC.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

Link to comment
Share on other sites
  • 1 year later...
oliver369 Seeker

oliver369

Posted
Posted (edited)

SmOke_N your example works great however I do have one question; why does the function not work on all processes such as winlogon.exe?

EDIT: Not sure whether I should post this here, if not please could someone redirect me ?

Edited by oliver369
Link to comment
Share on other sites
  • Moderators
SmOke_N Universalist

SmOke_N

Posted
  • Moderators
Posted

SmOke_N your example works great however I do have one question; why does the function not work on all processes such as winlogon.exe?

EDIT: Not sure whether I should post this here, if not please could someone redirect me ?

Why would it work on it? Why would you want it to work on it?

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

Link to comment
Share on other sites
oliver369 Seeker

oliver369

Posted
Posted (edited)

Well the answer is pretty straight forward: for removing certain viruses (especially Vundo type) there is a nice removal process here: http://vil.nai.com/vil/Content/v_127690.htm

However the procedure involves using Process Explorer or one of the other tools written by Sysinternals (now owned by Microsoft for those who don't know). I did try asking permission for including one of the tools in my program which ended in this answer:

Thank you for your email. We don't allow any redistribution of any of our tools.

:(

I know I'm always the one that is a pain in the ass. :)

Edited by oliver369
Link to comment
Share on other sites
  • Moderators
SmOke_N Universalist

SmOke_N

Posted
  • Moderators
Posted (edited)

Well the answer is pretty straight forward: for removing certain viruses (especially Vundo type) there is a nice removal process here: http://vil.nai.com/vil/Content/v_127690.htm

However the procedure involves using Process Explorer or one of the other tools written by Sysinternals (now owned by Microsoft for those who don't know). I did try asking permission for including one of the tools in my program which ended in this answer:

Thank you for your email. We don't allow any redistribution of any of our tools.

:(

I know I'm always the one that is a pain in the ass. :)

Too make a long story short, I can't imagine your process having rights to be able to suspend a lower level service such as the one you're asking about with the above shown UDF. Edited by SmOke_N

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

Link to comment
Share on other sites
oliver369 Seeker

oliver369

Posted
Posted (edited)

Thanks for the answer, I guess it's back to the drawing board for me... I think I will have to get someone to develop a command line tool for me.

EDIT: Found a way to do so, use Nopey to launch the compiled script as system (nopey.exe child -d winlogon script.exe) then you are able to pause processes such as winlogon.exe

Edited by oliver369
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...